Commentary and Possible Holes

The security of this program depends, to some extent, on the proper
operation of all of the system and compiler functions it calls. We
doubt if these programs have been subjected to a similar analysis to
assure that they retain confinement properties, and this introduces
potential problems.

Confinement Properties

Notwithstanding these limitations, the secure daemon described here
has been shown to enforce the confinement properties required for secure
operation against intentional abuse as well as many of the other
properties that are appropriate to secure daemon operation.

Integrity

From a standpoint of integrity, we believe that this daemon is very
safe and that it effectively protects the server it operates on from
corruption during its operation.

Availability

From a standpoint of denial of services, an attacker can use large
numbers of requests to cause some requests to fail by overrunning the
available number of files and processes on the server, however the
sequential nature of file access in this daemon and the fact that a very
small number of files are opened for only the minimum necessary time
reduces this vulnerability compared to insecure implementations.

Confidentiality

From a standpoint of confidentiality, we believe that these programs
are at least as strong as the environment they operate in and that they
do not lessen security whatsoever. Furthermore, the redundant
protection provided by defense-in-depth assures that even under
circumstances where leakage would be expected with other daemons, this
daemon provides effective protection. Only information explicitly made
available to outside access is released by this daemons.

Interrupts and Exceptions

The program has no interrupts and no exception conditions that are
not properly handled in its current operation. Even in cases where the
underlying environment changes during operation, the code operates
without causing any substantial security problems.